It’s spring, and that means that it’s time for some spring cleaning. At least on this site.

I go over my blogs and other sites every once in a while, and over time, I change — so my web sites also have to change. And it’s time for a change of format and etc. here on Simple Security Tips.

Don’t take this too terribly harshly, but the real reason we have security problems is you. You simply don’t know what to watch out for. You don’t know where Trouble comes from or what it looks like. You want stuff that you know is too good to be true to actually be true — but it’s not going to be true today, tomorrow, or ever.

And the criminals know that and they take advantage of it. Why do you think you still get zillions of spam emails promoting “enhancement” products? Because people still click on the links in the emails and buy the stuff. Because people let their systems be compromised (as opposed to hackers actually popping their computer) so that they can be joined to botnets and used to send the stuff in the first place. Because people download what they think is a free game but it turns out to be a password stealing Trojan that allows the criminal to log into their webmail account and send garbage to everybody in their address book.

Sure, even the “experts” get hacked. Sometimes. It happens. But most of the bad stuff that happens to good people like you can, unfortunately, be blamed on you. Sometimes you don’t know any better. Sometimes you do but do the wrong thing anyway. But I know, from my years of experience in computer (and other types of) security, a lot of it can be prevented if you just know what’s really going on.

Sure, I have the “creds”. I was doing risk assessments and managing key inventories for military units 30 years ago (yeah, I’ve been “doing” security for a long time. And don’t ever tell me that you lost your keys! No mercy at all…). Certifications? Got five computer security certifications at the moment. They come in handy when I need to deep inspect packet data to inspect TCP flags, packet sizes and sequences… Lots of boring stuff.

But my point is that having the creds and qualifications to do that kind of stuff has put me in positions where I see what’s really going on. I know where the problems lie, and for the most part, it’s people doing stuff they shouldn’t be doing. My experience has shown me that a lot of the problems can be prevented if people will simply do the right thing. What’s so hard about that?

You have a good brain. You’re a smart person. I’m going to help you exercise that muscle between your ears (otherwise known as a “brain”) so that you stop doing the wrong thing and start doing the right things.

You can do this. I know you can! And I’m going to help you learn what you need to learn without your having to get a doctorate in security. And for those times when you do everything right but bad things happen anyway (and they will), I’m going to tell you how to protect yourself and recover as fast as possible.

But this old blog is B-O-R-I-N-G!!! Heck, I don’t even think my mother reads it any more (OK, there are a few hundred who swing by every month… visitors, that is — not mothers!). We’re going to change all that.

Enough of the sugar coating. Enough of the stuff that reads like a paper I wrote during my senior year of college (where my professor gave me an “A” without reading it because it was too painful to actually read). Let’s start talking about the real security problems and what you can do about it.

And the first “something” is for you to stop doing stuff that you know you shouldn’t be doing. Don’t open emails from people you don’t know. Stop accepting every friend and game request you get on “that” social networking site. Don’t click on ads if they seem too good to be true. Don’t do recreational surfing from a computer you use to produce income. Don’t hide your house key under a flowerpot or door mat. Don’t leave your car unattended with the engine running, even if the doors are locked (rock plus velocity = broken window and stolen car). You’ve probably heard it all before, but you need to hear it again — and you need to hear it from me.- somebody who’s “been there, done that” — and is about to wear the T-shirt (and write the book… or at least the web site!).

Welcome to the new Simple Security Tips. Almost.

I don’t like debt. In fact, one of my personal goals is to get out of debt entirely, including my house. About $400,000 should do it…

As a part of my dislike of debt, I’ve tried to stay away from credit cards; however, some things I read recently are leading me to reconsider this decision. Instead, I think I’m going to keep one credit card and use it for purchases. But the one “hard and fast” rule is that I’ll pay it off, in full, every month before the due date so as to prevent interest and service charges — and, of course, to prevent adding to my debt.

But since this isn’t a personal finance blog (although there is lots of security in being out of debt!), let me talk about the security reasons for this (OK, and a couple of other good reasons that really have nothing to do with security…):

• Credit cards have better fraud protection than debit cards. The card that I’m going to re-open has actually called me on several occasions to verify transactions. Of course, I have a love / hate relationship with them; I love the way they monitor accounts for fraud activity but DESPISE their totally unforgiving attitude when your payment is even a second late (which is why I won’t carry a balance). In fact, once I paid them, but they sat on my payment for 3 days until it was late. Only then did they process my payment while tacking on late fees. I’m sorry, but if you give me money, it’s not going to take me even 3 seconds before I process it!
• Rewards. This particular card (and I won’t mention the name; no free publicity) does offer cash back rewards. If I do my regular shopping with them and pay it in full every month, I’ll squeeze a bit of cash out of them without them squeezing any cash out of me. It’s a tightrope walk, but in the end, I’m going to get a lot more out of them then they got out of me…
• Convenience. OK, this isn’t really a reason since I use my debit card everywhere now, but by putting everything on this credit card, I won’t have to enter my PIN quite so much. Instead, I’ll be signing stuff more.

Two out of three reasons isn’t bad, is it?

But I like the idea of fraud protection for my purchases, especially those made online. And using this credit card is going to better protect me from fraud.

So I’m going to give that credit card another try. Here are my conditions, and I only recommend that you try this IF you agree to all of the following:

1. You don’t buy more stuff than you do now. You only use the credit card to buy stuff that you’re buying now with cash or a debit card. In other words, if your grocery bill is $100 a week when you pay with your debit card, it’s still $100 a week when you pay with the credit card.
2. You don’t use the cash piling up in your bank account (from using the credit card) to buy other stuff. You keep it for when the credit card bill arrives.
3. You keep track of what you spend. Receipts, etc.
4. As soon as you get the credit card bill, you pay it. In full. Every month. It won’t be a problem because your spending habits are still the same and the money is sitting in the account, waiting for your monthly statement.
5. If you notice any differences between what you actually spent and what’s on your credit card statement, you notify the credit card issuer immediately. Call them (or use their website contact form), but follow up with a written letter.
6. Keep track of your payments. If the issuer starts playing games with your payments and tries to tack on fees, make a big, public fuss about it if they don’t fix it right away.

One last thing: Some credit cards offer even more benefits, i.e. insurance when you rent a car. While these are nice and you should definitely take advantage of them if they fully meet your needs (based on your judgment, not mine), then by all means enjoy these benefits. But this should never be a reason for getting a credit card, in my opinion.

Between the discipline I think I’ve developed, the fraud protection, the cash back awards, and the convenience of not having to push four buttons every time I want to buy something, I think the benefits are worth it. I can’t wait to milk the credit card company dry!

NOTE: I redacted the name of the actual web site from this article due to a legal representative of the site leaving an unapproved comment about this article being inaccurate — without pointing out the inaccuracies. This is an OPINION blog, based on my observations and experience — and I saw what I saw. Nevertheless, since I have no desire to argue with those who are trying to lure people into thinking that they are a legitimate institution of higher education, I’ve substituted the name of the institution with “[redacted]“. Feel free to leave a comment if you want to know the real name; I might email it to you…

While reading a security article about a cross site scripting vulnerability on Twitter (which has since been fixed; no need to worry about that), I saw an ad for the “University of [redacted] Online” (URL is www.[redacted].com but I won’t give them an actual link). The ad offered an “Internet Marketing Certificate” after an 8 week course of study.

Wow, I thought — an actual university offering an Internet Marketing certificate? Well, not quite — at least in my opinion.

This link leads to the *REAL* University of [redacted] (well, it did until I redacted it; now it leads to Jumbo Joke…). It’s a Jesuit Catholic College (one of only 28 in the world) and is the oldest university in [redacted], California (according to their website). And since they have a real, live .edu domain, they must be a real, legitimate university.

I also like their mission statement:

[redacted] exists to provide a rigorous, world-class education to a new generation of leaders, who will work to create a more humane and just world.

You aren’t going to reach that goal with an 8 week Internet Marketing certificate!

But what about the people who seemingly have ripped off their good name? Let’s do a bit of digging, shall we?

[redacted].com is hosted on IP address 67.134.215.5, which is registered to B.isk Education of Tampa, Florida.

Obviously there must be a [redacted], Florida — right?

Uh, no. In fact, I can’t find another [redacted] in the United States.

So to me, B.isk Education seems to be taking advantage of the REAL [redacted]‘s reputation to make a quick buck. Riding the coattails and all that.

I didn’t find out much about B.isk Education, and much of what I did find was on sites like Ripoff Report (where people write about their experience and the site owner uses it to extort hush money from the website owner, so take what you read there with a grain of salt). I won’t link to the site, but you can go to Google and type in “B.isk Education site:ripoffreport.com” and get the link. Not very flattering, to say the least. And it’s just opinion, of course… They could be an outstanding institution that just made a poor choice in this instance.

So I think B.isk Education is confusing people with their “fake” University of [redacted] Online web site. And while the reviews are mixed, I’d personally stay away from anything that has B.isk Education written on it. Yes, you’d get an education, but probably not the kind you really want!

If you want a college education, go directly to the college or university of your choice and deal with them. No need to get yourself embroiled with an intermediary.

And legitimate institutions of higher learning will, for the most part, have a .edu domain, not a .com domain. If you visit a website that claims to be a educational institution but they don’t have a .edu domain, be careful.

And I can only hope that the 8 week Internet Marketing certificate comes in a roll so that you can get SOME use out of it…

I received several copies this morning (in different email accounts) of an email that claimed to be from the United Parcel Service (UPS). Here’s the text of one of them (The “From” name and “Subject” varies, but contains “UPS Tracking Number”):

Dear customer!

The courier company was not able to deliver your parcel by your address.
Cause: Error in shipping address.

You may pickup the parcel at our post office personaly!

Please attention!
The shipping label is attached to this e-mail.
Please print this label to get this package at our post office.

Please do not reply to this e-mail, it is an unmonitored mailbox.

Thank you.
United Parcel Service of America.

My first hint that something was amiss was because I live in Germany, so “United Parcel Service of America” wouldn’t be delivering to my home…

To make a long story short, don’t open that shipping label. If you do, you will have infected your computer with Trojan.Win32.Bredolab.Gen.1(v) (as identified by Sunbelt Software’s VIPRE).

If you did open it, you can get a fully functional 30 day free trial of Sunbelt Software’s VIPRE Anti-Virus and Anti-Spyware software by clicking here (you can also get a copy if you aren’t infected… You should have both anti-virus and anti-spyware software on your computer, and if you don’t, VIPRE is an effective yet economical solution — and comes with full support from Sunbelt). While I didn’t purposely infect my computer to test this, I’m pretty sure that VIPRE will be able to at least quarantine the infection (just be sure to update the definitions and run a full system scan, and let the scan complete itself. You might be surprised at what it finds — and neutralizes).

You do have to give Sunbelt Software a good email address in order to get your license key, but from past experience with Sunbelt, I can vouch for the fact that they won’t spam you or flood your Inbox with unwanted emails. After all, they are an award winning security company and take pride in their reputation… they aren’t about to ruin it by sending you a bunch of junk emails (but do expect a “reminder” when your 30 day trial is about to expire, along with an offer to purchase a one year license — which is very economically priced. They even offer a license that will cover all the computers in your house, which is the license that I purchased and use. And unlike other companies, there’s no “automatic renewal” or “forced continuity” — you have to specifically go back to them every year and renew your license. That’s a good thing!).

Stay safe out there…

P.S. — Just for fun, let’s look at a few more indicators that this is an email you don’t want to respond to:

• UPS doesn’t notify customers by email (as far as I know).
• UPS is not the Post Office!
• “deliver your parcel by your address” — bad grammar (how about, “deliver your parcel to your address”?).
• “Personaly” is spelled wrong.
• “Please attention!” — This is not a phrase that is used in normal U.S. English; however, it is a phrase that I might expect to hear from somebody whose native tongue is not English (and UPS would most likely use native English speakers for their correspondence within the U.S.).

Hope this helps you better identify spam!

NOTE: This posts contains one or more affiliate links. If you click on the link(s) and purchase something, I will receive a referral commission. It will not have any effect on the purchase price of the product. As a general rule, I do not accept free products for review and my decision to promote these products is based on my own satisfaction with the products after purchasing them and my desire to tell you about high quality products while generating revenue for my business. Any exceptions will be clearly noted. Thanks!

I just came across this article about not leaving mail in your car. Your mail contains all sorts of personal information that is of value to a thief. And if a thief has a copy of your bank statement and your home address, the balance just might convince them that a home invasion could be a profitable undertaking.

Do be careful.

As the PGP article also points out, you need to get a good cross-cut shredder and use it to shred “anything and everything” that you don’t need. You should also use a locking mailbox. While driving to the post office to pick up your mail can be a bit of an inconvenience, you can usually find one close to where you work or shop and the cost is minimal (and if you can find one within walking distance of your home, walking to the Post Office to check your mail would be an easy way to add some exercise to your daily routine). Consider it “cheap insurance”.

Now if you’ll excuse me, I need to go to my car…

I’ve been looking for a good tool that will obfuscate (or hide) my email address on websites. I wanted something that is easy for a legitimate visitor to see, yet would be impossible for those ‘bots that scrape the Internet, looking for email addresses on web pages that they can send their worthless spam to.

I think I’ve found one. I’m selling a printer that I no longer use, and if you look at that page, you can clearly read the email address that I’m using for this sale. Yet if you look at the page’s source code — which is what a ‘bot would look at — you can’t find the email address at all.

Neat, eh?

Here’s the script that does a neat job of hiding your email address. I like this one because it uses a fairly complex substitution pattern for your email address. Since it is JavaScript-based, it can be figured out by a smart programmer, but figuring it out is, in my opinion, probably beyond the capabilities of most spam ‘bots.

So give it a try and see if it works for you.

And “thanks” for the script, Amanda Fazani! And yes, she does use her own email scrambling script on her about me page…

Thanks to the good people at Sunbelt Software (makers of VIPRE Anti-Virus and Anti-Spyware, all of us now have a great resource that can help us identify if a program we stumble across on the Internet is a legitimate security product.

To get started, head over to their Rogue Anti Sypware blog and type the name of the product into the search box. If the product is in their database as a rogue product, it will tell you. Of course, if it’s a rogue product, don’t buy it and don’t click any links on the page (keep reading to find out what you can do — it won’t cost you a cent).

Above all, do not, repeat, do NOT buy a product simply because you get a popup or message on your computer telling you that you are infected. That’s always a bad idea. In many cases, the messages are fake and you’ve just given up your hard-earned money for nothing if you do purchase what they are selling. In other cases, not only do you lose your money for nothing when you buy, the rouge / fake site installs malware on your computer and / or takes your credit card details and sells them on the Internet.

Sunbelt recommends that you check out this partial list of legitimate anti virus software vendors. While it’s not 100% complete, it is a good place to start in your search for a legitimate company.

One final tip: Instead of handing over your hard earned money to a potential scammer to fix a potential security problem, download a copy of VIPRE Anti-Virus and Anti-Spyware. It’s fully functional and completely free for 15 days — and after that, you can purchase an annual license for much less than you’d pay to somebody selling a rogue security application. And my personal experience with them has been great; I’ve always received great support from them (and I first used their products back in 2001).

Read this post on Sunbelt Software’s blog for more information about this topic (it includes a link to a very informative PDF document on the subject).

I couldn’t have said it better myself (although I’ve been saying it for a long time): Use strong passwords:

• At least 12 characters.
• At least one upper case letter.
• At least one lower case letter.
• At least one number.
• At least one special character (those things above the numbers on your keyboard, etc.).
• Never use a word from a dictionary, regardless of the language.

Turns out that Adobe has admitted that their passwords can be guessed faster in Acrobat 9 than in Acrobat 8. In a way, that’s a good thing for two reasons. First, their customers get better performance. Second, HOPEFULLY it will “encourage” people to use strong passwords. Just use the guidelines I outlined above and you should be fine (and with Acrobat 9, you can have up to 127 characters in your password — that’s almost more than Twitter will let you have!).

While most security pros don’t recommend that you write down passwords, I do recommend that you write them down — but with a STRONG caveat: Write them down on a small piece of paper (like a blank business card). Do NOT write down the account that the password belongs to with the password, though! Then take that piece of paper and put it in your wallet with your money and credit cards — and protect it just like you would protect your money and credit cards. This way you’re more likely to use a hard to guess (and hard to crack) password.

One word of caution: If your workplace policies don’t allow you to write down passwords, then follow those policies. While I encourage you to discuss this issue with those who are responsible for security at your company (and feel free to share this blog post with them), following their policies is more important than listening to me. The owner or CEO has ultimate responsibility for the security of their computers and networks, so always do what they tell you to do.

But on your computers, you have the choice, and I encourage you to consider using my system.

Even better: Get RoboForm and you only have to write down one password — the master password that protects your password “vault” (if you have multiple computers, get the “ToGo” version and put it on a small thumb drive). Just don’t forget to make that password hard to guess — and don’t forget to change it every couple of months.

I’ve been using my current laptop for about three years now. I gave my old laptop to my wife when I got my current one. She doesn’t do much except for shopping and writing emails to a few friends.

I had installed some applications on that laptop before I passed it off to her and she recently asked me to remove them so that it would start up faster and free up some disk space. I did that, and then I defragmented the hard drive. It was working much better.

Just for the fun of it, I then decided to run Trend Micro’s Hijack This on that computer, along with Sunbelt Software’s VIPRE Anti-virus / Anti-Spyware. It didn’t find a single thing on it that was bad (outside of a few cookies, which aren’t really that big a deal from my perspective. I just delete them and move on).

The key here, I think, is that my wife doesn’t go off surfing to the four corners of the Internet. She goes to sites that she knows and trusts. She only opens emails from people she knows and trusts. She also trusts her “sixth sense”, and when something seems to be a bit questionable, she either ignores it or asks me. And that’s why I think her computer was so clean, even though I hadn’t checked it for quite some time.

Oh, and I don’t run anti-virus software on her computer, either — and you don’t have to, either, presuming you follow her best practices and have a certified computer security pro in the house to turn to when you have problems…

So stay away from those sites where you don’t really need to go. It will help ensure that your computer stays malware free.

Oh, and this is one of those sites you should visit…

Got Conficker? I certainly hope not!

Conficker is a form of malware that allows some unknown entity to take over your computer and do things that you’d rather not have done. It was first released last November (after the details of a Microsoft Windows vulnerability were made available). Since this threat is easily removed by applying the patch from Microsoft (NOTE: This link only works with Internet Explorer), there’s really no excuse for having an infected computer.

If the patch is readily available, then why is Conficker such a big problem?

• Because people don’t bother to patch their computer.
• Because they use illegal copies of Microsoft software and cannot patch it (there’s are many good reasons why you should pay for your software; this is just one of them).
• Because people use old operating system software that is no longer supported. The Conficker patch requires that you use Vista, XP with at least Service Pack 2, or Windows 2000 with Service Pack 4.

Let me talk a bit about outdated operating system software. Does Conficker affect computers that are still running Windows 98 and Windows ME? I don’t know, and to be honest, I doubt if Microsoft knows because they no longer support those operating systems. This means that any security vulnerabilities found in those products will not get patched (and it isn’t Microsoft that is finding any of these vulnerabilities; it is hackers and criminals). If you are still using those operating systems, you have chosen to accept this risk.

But back to Conficker — and the easy test to see if your computer is infected:

• Click here and follow the simple instructions to test your computer for Conficker.
• If certain images are not displaying (but others are), then head over to this Wikipedia article on Conficker to learn how to get rid of it. The best way is to use Microsoft’s Malicious Software Removal Tool, then install their patch. You get it all if you follow the first link in this blog post (but you’ll need to click on it in Internet Explorer for it to work).

Here’s hoping that you are Conficker-free, but if you are not, I hope that this helps you take care of the infection. And once you’ve taken care of the infection, get yourself a good, reliable anti-virus and anti-spyware solution to better protect your computer.